Search in sources :

Example 31 with JwsJwtCompactConsumer

use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project syncope by apache.

the class JWTITCase method notBefore.

@Test
public void notBefore() throws ParseException {
    // Get an initial token
    SyncopeClient localClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    AccessTokenService accessTokenService = localClient.getService(AccessTokenService.class);
    Response response = accessTokenService.login();
    String token = response.getHeaderString(RESTHeaders.TOKEN);
    assertNotNull(token);
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token);
    String tokenId = consumer.getJwtClaims().getTokenId();
    // Create a new token using the Id of the first token
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;
    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);
    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(tokenId);
    jwtClaims.setSubject(ADMIN_UNAME);
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer(JWT_ISSUER);
    jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
    jwtClaims.setNotBefore(currentTime + 60L);
    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.HS512);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);
    JwsSignatureProvider jwsSignatureProvider = new HmacJwsSignatureProvider(JWS_KEY.getBytes(), SignatureAlgorithm.HS512);
    String signed = producer.signWith(jwsSignatureProvider);
    SyncopeClient jwtClient = clientFactory.create(signed);
    UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
    try {
        jwtUserSelfService.read();
        fail("Failure expected on a token that is not valid yet");
    } catch (AccessControlException ex) {
    // expected
    }
}
Also used : JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims) UserSelfService(org.apache.syncope.common.rest.api.service.UserSelfService) Calendar(java.util.Calendar) AccessControlException(java.security.AccessControlException) SyncopeClient(org.apache.syncope.client.lib.SyncopeClient) Date(java.util.Date) Response(javax.ws.rs.core.Response) JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders) JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer) AccessTokenService(org.apache.syncope.common.rest.api.service.AccessTokenService) HmacJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider) NoneJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider) HmacJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider) Test(org.junit.jupiter.api.Test)

Example 32 with JwsJwtCompactConsumer

use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project syncope by apache.

the class SAML2SPLogic method createLogoutRequest.

@PreAuthorize("isAuthenticated() and not(hasRole('" + StandardEntitlement.ANONYMOUS + "'))")
public SAML2RequestTO createLogoutRequest(final String accessToken, final String spEntityID) {
    check();
    // 1. fetch the current JWT used for Syncope authentication
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(accessToken);
    if (!consumer.verifySignatureWith(jwsSignatureVerifier)) {
        throw new IllegalArgumentException("Invalid signature found in Access Token");
    }
    // 2. look for IdP
    String idpEntityID = (String) consumer.getJwtClaims().getClaim(JWT_CLAIM_IDP_ENTITYID);
    if (idpEntityID == null) {
        throw new NotFoundException("No SAML 2.0 IdP information found in the access token");
    }
    SAML2IdPEntity idp = cache.get(idpEntityID);
    if (idp == null) {
        throw new NotFoundException("SAML 2.0 IdP '" + idpEntityID + "'");
    }
    if (idp.getSLOLocation(idp.getBindingType()) == null) {
        throw new IllegalArgumentException("No SingleLogoutService available for " + idp.getId());
    }
    // 3. create LogoutRequest
    LogoutRequest logoutRequest = new LogoutRequestBuilder().buildObject();
    logoutRequest.setID("_" + UUID_GENERATOR.generate().toString());
    logoutRequest.setDestination(idp.getSLOLocation(idp.getBindingType()).getLocation());
    DateTime now = new DateTime();
    logoutRequest.setIssueInstant(now);
    logoutRequest.setNotOnOrAfter(now.plusMinutes(5));
    Issuer issuer = new IssuerBuilder().buildObject();
    issuer.setValue(spEntityID);
    logoutRequest.setIssuer(issuer);
    NameID nameID = new NameIDBuilder().buildObject();
    nameID.setFormat((String) consumer.getJwtClaims().getClaim(JWT_CLAIM_NAMEID_FORMAT));
    nameID.setValue((String) consumer.getJwtClaims().getClaim(JWT_CLAIM_NAMEID_VALUE));
    logoutRequest.setNameID(nameID);
    SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
    sessionIndex.setSessionIndex((String) consumer.getJwtClaims().getClaim(JWT_CLAIM_SESSIONINDEX));
    logoutRequest.getSessionIndexes().add(sessionIndex);
    SAML2RequestTO requestTO = new SAML2RequestTO();
    requestTO.setIdpServiceAddress(logoutRequest.getDestination());
    requestTO.setBindingType(idp.getBindingType());
    try {
        // 3. generate relay state as JWT
        Map<String, Object> claims = new HashMap<>();
        claims.put(JWT_CLAIM_IDP_DEFLATE, idp.getBindingType() == SAML2BindingType.REDIRECT ? true : idp.isUseDeflateEncoding());
        Triple<String, String, Date> relayState = accessTokenDataBinder.generateJWT(logoutRequest.getID(), JWT_RELAY_STATE_DURATION, claims);
        requestTO.setRelayState(relayState.getMiddle());
        // 4. sign and encode AuthnRequest
        switch(idp.getBindingType()) {
            case REDIRECT:
                requestTO.setContent(saml2rw.encode(logoutRequest, true));
                requestTO.setSignAlg(saml2rw.getSigAlgo());
                requestTO.setSignature(saml2rw.sign(requestTO.getContent(), requestTO.getRelayState()));
                break;
            case POST:
            default:
                saml2rw.sign(logoutRequest);
                requestTO.setContent(saml2rw.encode(logoutRequest, idp.isUseDeflateEncoding()));
        }
    } catch (Exception e) {
        LOG.error("While generating LogoutRequest", e);
        SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
        sce.getElements().add(e.getMessage());
        throw sce;
    }
    return requestTO;
}
Also used : SessionIndexBuilder(org.opensaml.saml.saml2.core.impl.SessionIndexBuilder) SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO) Issuer(org.opensaml.saml.saml2.core.Issuer) NameID(org.opensaml.saml.saml2.core.NameID) HashMap(java.util.HashMap) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) XSString(org.opensaml.core.xml.schema.XSString) DateTime(org.joda.time.DateTime) Date(java.util.Date) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder) LogoutRequestBuilder(org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder) SAML2IdPEntity(org.apache.syncope.core.logic.saml2.SAML2IdPEntity) SessionIndex(org.opensaml.saml.saml2.core.SessionIndex) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest) XMLObject(org.opensaml.core.xml.XMLObject) IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)

Example 33 with JwsJwtCompactConsumer

use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project syncope by apache.

the class AccessTokenDataBinderImpl method update.

@Override
public Pair<String, Date> update(final AccessToken accessToken, final byte[] authorities) {
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(accessToken.getBody());
    credentialChecker.checkIsDefaultJWSKeyInUse();
    long duration = confDAO.find("jwt.lifetime.minutes", 120L);
    long currentTime = new Date().getTime() / 1000L;
    long expiry = currentTime + 60L * duration;
    consumer.getJwtClaims().setExpiryTime(expiry);
    Date expiryDate = new Date(expiry * 1000L);
    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, jwsSignatureProvider.getAlgorithm());
    JwtToken token = new JwtToken(jwsHeaders, consumer.getJwtClaims());
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(token);
    String body = producer.signWith(jwsSignatureProvider);
    accessToken.setBody(body);
    // AccessToken stores expiry time in milliseconds, as opposed to seconds for the JWT tokens.
    accessToken.setExpiryTime(expiryDate);
    if (!adminUser.equals(accessToken.getOwner())) {
        accessToken.setAuthorities(authorities);
    }
    accessTokenDAO.save(accessToken);
    return Pair.of(body, expiryDate);
}
Also used : JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders) JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) Date(java.util.Date)

Example 34 with JwsJwtCompactConsumer

use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project testcases by coheigea.

the class JWTJAXRSAuthenticationTest method testJWTKerberosAccessToken.

@org.junit.Test
public void testJWTKerberosAccessToken() throws Exception {
    URL busFile = JWTJAXRSAuthenticationTest.class.getResource("cxf-client.xml");
    // 1. Get a JWT Token from the STS via the REST interface for "alice"
    String jwtToken = getJWTTokenFromSTS(busFile);
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(jwtToken);
    JwtToken jwt = jwtConsumer.getJwtToken();
    Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    Assert.assertTrue(((List<?>) jwt.getClaim(ROLE)).contains("boss"));
    // 2. Now call on the service using a custom HttpAuthSupplier
    String address = "https://localhost:" + PORT + "/doubleit/services";
    WebClient client = WebClient.create(address, busFile.toString()).type("application/xml");
    Map<String, Object> requestContext = WebClient.getConfig(client).getRequestContext();
    requestContext.put("auth.spnego.useKerberosOid", "true");
    KerbyHttpAuthSupplier authSupplier = new KerbyHttpAuthSupplier();
    authSupplier.setServicePrincipalName("bob/service.ws.apache.org@service.ws.apache.org");
    authSupplier.setServiceNameType(GSSName.NT_HOSTBASED_SERVICE);
    authSupplier.setJwtToken(jwtToken);
    WebClient.getConfig(client).getHttpConduit().setAuthSupplier(authSupplier);
    Number numberToDouble = new Number();
    numberToDouble.setDescription("This is the number to double");
    numberToDouble.setNumber(25);
    Response response = client.post(numberToDouble);
    Assert.assertEquals(response.getStatus(), 200);
    Assert.assertEquals(response.readEntity(Number.class).getNumber(), 50);
}
Also used : JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) Response(javax.ws.rs.core.Response) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) WebClient(org.apache.cxf.jaxrs.client.WebClient) URL(java.net.URL)

Example 35 with JwsJwtCompactConsumer

use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project testcases by coheigea.

the class AuthorizationCodeFlowTest method validateIdToken.

private void validateIdToken(String idToken, String nonce) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
    JwtToken jwt = jwtConsumer.getJwtToken();
    // Validate claims
    Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    Assert.assertEquals("OIDC IdP", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
    Assert.assertEquals("consumer-id", jwt.getClaim(JwtConstants.CLAIM_AUDIENCE));
    Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
    Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
    if (nonce != null) {
        Assert.assertEquals(nonce, jwt.getClaim(IdToken.NONCE_CLAIM));
    }
    KeyStore keystore = KeyStore.getInstance("JKS");
    keystore.load(Loader.getResource("servicestore.jks").openStream(), "sspass".toCharArray());
    Certificate cert = keystore.getCertificate("myservicekey");
    Assert.assertNotNull(cert);
    Assert.assertTrue(jwtConsumer.verifySignatureWith((X509Certificate) cert, SignatureAlgorithm.RS256));
}
Also used : JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Aggregations

JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)76 JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken)61 JWTTokenProvider (org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider)33 Response (javax.ws.rs.core.Response)20 WebClient (org.apache.cxf.jaxrs.client.WebClient)18 URL (java.net.URL)17 Element (org.w3c.dom.Element)15 JAXBElement (javax.xml.bind.JAXBElement)13 Crypto (org.apache.wss4j.common.crypto.Crypto)13 KeyStore (java.security.KeyStore)12 X509Certificate (java.security.cert.X509Certificate)12 ArrayList (java.util.ArrayList)10 Date (java.util.Date)10 ClaimsHandler (org.apache.cxf.sts.claims.ClaimsHandler)10 ClaimsManager (org.apache.cxf.sts.claims.ClaimsManager)10 CustomClaimsHandler (org.apache.cxf.sts.common.CustomClaimsHandler)10 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)10 TokenProvider (org.apache.cxf.sts.token.provider.TokenProvider)9 Document (org.w3c.dom.Document)9 Certificate (java.security.cert.Certificate)8